
Purl and Vers: The Mostly Universal Package URL and Version Ranges Identifiers for Dependencies and Vulnerabilities

2022-06-22

Authors:   Hritik Vijay, Philippe Ombredanne


Summary

The presentation discusses the challenges of package and dependency management in software development and proposes solutions such as using package URLs and a universal versioning system.
  • The complexity of package and dependency management in software development makes it hard to express which versions of a dependency are acceptable, and therefore hard to automate resolution.
  • Solutions proposed include providing installation prerequisites, using a single package manager, and using general-purpose package managers such as Spack, Conda, Nix, and Guix.
  • Package URLs can be used to name packages and a universal versioning system can be used to deal with version ranges.
  • The universal versioning system can accommodate different versioning schemes and express version ranges in a universal way.
The speaker notes how hard it is to identify a package and its version consistently across ecosystems. A Package URL names a package in one obvious form, such as pkg:pypi/django for Django on PyPI, with the version appended after an @ when a specific release is meant. The universal version range notation complements it: it accommodates each ecosystem's own versioning scheme while expressing ranges in a single syntax.

Abstract

Because no tech stack is an island running on a single programming language and in a single package ecosystem, we need a way to talk about packages and their versions across ecosystems. purl and vers are an attempt to solve this problem and express package dependencies and vulnerabilities using a common language among multiple tools, SBOM formats and tech stacks. We will present Package URL, a way to reference packages across ecosystems which is emerging as a de-facto standard identifier for open source software packages. And we will introduce a new universal notation for package version ranges, as used when resolving package dependencies ("I require package foo, version 2.0 or later") and when referencing affected vulnerable package versions ("vulnerability CVE-123 affects package bar, version 3.1 and version 4.2 but not version 5"). These two mini standards pave the way towards (mostly) universal FOSS package naming and versioning for dependency resolution and vulnerability range references, and are emerging as essential to reliably process vulnerability data in the software supply chain.
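The following Python is an added example written for this page; it is neither the reference purl/vers code nor code from the talk. It covers what the Summary and the Abstract describe: a minimal purl parser (pkg:type/namespace/name@version?qualifiers#subpath), a vers range matcher that follows the containment steps described in the vers spec, and an is_affected helper that ties the two together to answer the "does this range apply to this package version" question. Assumptions: version_key orders only dotted numeric versions and stands in for the per-scheme ordering the spec delegates to each ecosystem (which the univers library implements for real schemes); the sample purls and ranges are constructed; is_affected assumes the vers scheme is spelled like the purl type.

```python
"""Toy purl parser and vers matcher: an added example, not the reference code."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

COMPARATORS = (">=", "<=", "!=", ">", "<", "=")


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict
    subpath: Optional[str]


def _rsplit(s: str, sep: str):
    head, found, tail = s.rpartition(sep)     # ('s', '') when sep is absent
    return (head, tail) if found else (s, "")


def parse_purl(purl: str) -> PackageURL:
    """Take pkg:type/namespace/name@version?qualifiers#subpath apart."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    rest, subpath = _rsplit(rest.strip("/"), "#")   # rightmost '#' starts the subpath
    rest, qualifiers = _rsplit(rest, "?")           # then the qualifier string
    rest, version = _rsplit(rest, "@")              # a literal '@' in a name must be %40
    parts = rest.split("/")                         # type / namespace... / name
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return PackageURL(parts[0].lower(),
                      "/".join(unquote(p) for p in parts[1:-1]) or None,
                      unquote(parts[-1]), unquote(version) or None, quals,
                      unquote(subpath).strip("/") or None)


def version_key(version: str) -> tuple:
    """Ordering key for dotted numeric versions (1.2.10 > 1.2.9).  Simplification:
    real vers schemes (semver, pypi, deb, maven...) each define their own ordering.
    Trailing zeros are dropped so 2.0 == 2.0.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_vers(vers: str):
    """Return (scheme, [(comparator, version), ...]) sorted by version."""
    prefix, sep, rest = vers.partition(":")
    scheme, sep2, body = rest.partition("/")
    if not sep or prefix.lower() != "vers" or not sep2 or not scheme:
        raise ValueError(f"not a vers: {vers!r}")
    constraints = []
    for item in filter(None, (i.strip() for i in body.strip("|").split("|"))):
        op = next((c for c in COMPARATORS if item.startswith(c)), None)
        constraints.append((op, item[len(op):]) if op else ("=", item))  # bare = equality
    if any(v == "*" for _, v in constraints):
        if len(constraints) != 1:
            raise ValueError("'*' must be the only constraint")
        return scheme.lower(), [("*", None)]
    return scheme.lower(), sorted(constraints, key=lambda c: version_key(c[1]))


def contains(vers: str, version: str) -> bool:
    """Containment check following the steps laid out in the vers spec."""
    _, constraints = parse_vers(vers)
    if constraints == [("*", None)]:
        return True
    v = version_key(version)
    # an exact hit on an =, <= or >= constraint is in; on a != constraint it is out
    if any(op in ("=", "<=", ">=") and version_key(cv) == v for op, cv in constraints):
        return True
    if any(op == "!=" and version_key(cv) == v for op, cv in constraints):
        return False
    bounds = [(op, cv) for op, cv in constraints if op not in ("=", "!=")]
    if not bounds:
        return False
    if bounds[0][0] in ("<", "<=") and v < version_key(bounds[0][1]):
        return True                                  # below the lowest upper bound
    if bounds[-1][0] in (">", ">=") and v > version_key(bounds[-1][1]):
        return True                                  # above the highest lower bound
    for (lo_op, lo_v), (hi_op, hi_v) in zip(bounds, bounds[1:]):
        if (lo_op in (">", ">=") and hi_op in ("<", "<=")
                and version_key(lo_v) < v < version_key(hi_v)):
            return True                              # inside a lower/upper pair
    return False


def is_affected(purl: str, vers: str) -> bool:
    """Is the exact version a purl names inside a vulnerability's vers range?
    Assumes the vers scheme is spelled like the purl type (true for pypi, npm...)."""
    pkg = parse_purl(purl)
    scheme, _ = parse_vers(vers)
    if pkg.version is None or scheme != pkg.type:
        raise ValueError(f"cannot test {purl!r} against {vers!r}")
    return contains(vers, pkg.version)
```

In this notation the abstract's "version 2.0 or later" is vers:pypi/>=2.0 and "version 3.1 and version 4.2 but not version 5" is vers:pypi/3.1|4.2; a bare version in a vers constraint means equality, so is_affected("pkg:pypi/django@3.1", "vers:pypi/3.1|4.2") is true and the same call with @5 is false. Ranges with gaps, such as vers:npm/>=1.0|<2.0|>=3.0, work because the constraints are sorted and then read as alternating lower and upper bounds.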

Materials: